Responding to the section about the PII bar...
A b
I expect we will still recommend a proposal if it requires some
training, so to maximize the chances of passing, I don't think I'll try
for no training.
B a
The second clause is redundant, since it's impossible to
complete the bootstrap scenario without entering a petname.
B b
This attention sequence can be the exact same one used by the
form fillers built into today's web browsers; therefore I expect the use
rates to be the same.
B c
Don't understand
B d
Don't understand
B e
I think this is saying the same thing as:
<http://www.w3.org/2006/WSC/drafts/rec/#piieditor-expected-tendency>
B f
The petname is not intended as a defense against
Picture-in-Picture attacks. The PII data strings and the chrome
customization provides this defense. There's no expectation that a
petname will be globally unique or hard to guess. For example, choosing
the petname "paypal" for the Paypal.com site is perfectly reasonable.
C a 1
The attention key used in the PII bar is *not* a secure
attention key. It's perfectly fine if users don't know if or how they
entered it. The attention key is merely a convenient shortcut to get
keyboard focus into the PII bar. For example, using the down arrow key,
as browsers currently do to activate the form filler, is perfectly fine.
Alernatively, it's also fine for users to just use the mouse to move the
input focus to the PII bar.
C a 2
Again, petnames are not expected to be unique or unguessable.
Everyone could use the exact same petname and that would be fine. The
important feature of a petname is that it came from the user, rather
than the named entity. It's about the name assignment process, not the
text characters in the name. The petname names who the user thinks they
are interacting with. This name MUST come from the user, rather than the
named entity, since a phisher would choose to have the petname of the
impersonated site.
The bootstrap phase of the PII bar integrates entry of the
petname with authentication of the site. The browser's form filler only
becomes accessible after passing through the bootstrap phase. Partial
completion of the bootstrap phase is not an option. It's either all the
way through, or nothing at all, so balking at the entry of the petname
is not really an option.
C b 1
The only difference in user actions between the PII bar form
filler and today's form fillers is the distance of the drop down menu
from the input field. Key press and/or mouse click counts should be
identical. By putting the PII bar form filler menu at the bottom of the
window, the user can throw the mouse in the same way they do to access
the menu bar, or back/forward buttons. Alternatively, the attention key
does this navigation in one keystroke.
C b 2
We should put together some more detailed spoofing scenarios.
D
I agree. It would be nice if Mozilla, or Microsoft, or another
browser vendor, would host a code sprint for this WG to bootstrap this
effort. I'm willing to do the coding, but could use some help finding
the needed APIs. For example, AFAICT, IE7 still does not provide an API
to access the SSL certificate.
--Tyler
--
[1] "RecommendationUsabilityEvaluationFirstCut - W3C Web Security
Context Wiki"
<http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstC
ut#head-19caf4993d486f3f77f40171acc200d22fbf016e>
________________________________
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Rachna Dhamija
Sent: Tuesday, July 31, 2007 6:22 PM
To: W3 Work Group
Subject: first cut usability walk through
The usability group is starting to analyze the proposed recommendations.
Our first goal is to clearly state the expected user behavior in each
proposal and to map this to what is known from previous studies.
Proposal authors: Did we capture your expected user behavior correctly?
Is there anything you disagree with or would like to add?
http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCu
t
(Note: this is a work in progress- each write up is by a different
author and does not represent consensus by our group yet).
Rachna